
Fibre Channel zoning


In storage networking, Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets to restrict interference, add security, and simplify management. While a SAN makes several devices and/or ports available to a single device, each system connected to the SAN should only be allowed access to a controlled subset of these devices/ports. Zoning applies only to the switched fabric topology (FC-SW); it does not exist in simpler Fibre Channel topologies.

Zoning is different from VSANs in that each port can be a member of multiple zones, but of only one VSAN. A VSAN (similarly to a VLAN) is in fact a separate network (a separate sub-fabric), with its own fabric services (including its own separate zoning).

There are two main methods of zoning, hard and soft, which combine with two sets of attributes, name and port. More recently, the differences between the two have blurred. All modern SAN switches now enforce soft zoning in hardware.

The fabric name service allows each device to query the addresses of all other devices. Soft zoning restricts only the fabric name service, to show only an allowed subset of devices. Therefore, when a server looks at the content of the fabric, it will only see the devices it is allowed to see. However, any server can still attempt to contact any device on the network by address. In this way, soft zoning is similar to the computing concept of security through obscurity.

In contrast, hard zoning restricts actual communication across a fabric. This requires an efficient hardware implementation (frame filtering) in the fabric switches, but is much more secure. That said, modern switches will employ hard zoning when you implement soft zoning.

Zoning can be applied to either the switch port a device is connected to or the World Wide Name (WWN) of the host being connected. Because port-based zoning restricts traffic flow based on the specific switch port a device is connected to, a device that is moved to another port will lose access. Furthermore, if a different device is connected to the port in question, it will gain access to any resources the previous host had access to. WWN zoning (also called name zoning) restricts access by a device's WWN. Because the WWN belongs to the host, the host can be moved to a different port and access is still preserved. Connecting a new device to a port previously used by a WWN-zoned device will not convey any access to the previous device's resources.
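The differences described above (soft versus hard enforcement, and port versus WWN membership) can be checked against a small model of a fabric. This is an added example, not part of the original article and not any vendor's switch software; the Fabric class, its methods, the port numbers and the WWNs are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample WWNs, not taken from any real fabric.
HOST_A = "10:00:00:00:c9:00:00:0a"
HOST_B = "10:00:00:00:c9:00:00:0b"
ARRAY = "50:06:01:60:00:00:00:01"

@dataclass
class Fabric:
    hard: bool     # True = frame filtering, False = name-service filtering only
    zones: list    # each zone is a set of ("port", n) / ("wwn", w) members
    ports: dict = field(default_factory=dict)   # switch port -> WWN logged in there

    def plug(self, port, wwn):
        self.ports[port] = wwn

    def _ids(self, port):
        # A device can match a zone through its switch port or through its WWN.
        return {("port", port), ("wwn", self.ports[port])}

    def zoned(self, a, b):
        return any(self._ids(a) & z and self._ids(b) & z for z in self.zones)

    def name_service(self, port):
        """WWNs the fabric name service reports to the device on `port`."""
        return sorted(w for p, w in self.ports.items() if p != port and self.zoned(port, p))

    def deliver(self, src, dst):
        """Does a frame sent by address from port src reach port dst?"""
        return self.zoned(src, dst) if self.hard else True

def build(hard, zone):
    f = Fabric(hard=hard, zones=[zone])
    for port, wwn in ((1, HOST_A), (2, HOST_B), (3, ARRAY)):
        f.plug(port, wwn)
    return f

def recable(f):
    """HOST_A moves to port 4; HOST_B is plugged into the vacated port 1."""
    f.plug(4, HOST_A)
    f.plug(1, HOST_B)
    return {"moved_host_a": f.deliver(4, 3), "new_device_on_port_1": f.deliver(1, 3)}

WWN_ZONE = {("wwn", HOST_A), ("wwn", ARRAY)}
PORT_ZONE = {("port", 1), ("port", 3)}

if __name__ == "__main__":
    soft = build(False, WWN_ZONE)
    print(soft.name_service(2), soft.deliver(2, 3))   # hidden from lookup, still reachable
    print(build(True, WWN_ZONE).deliver(2, 3))        # frame filtered by the switch
    print(recable(build(True, PORT_ZONE)), recable(build(True, WWN_ZONE)))
```

When auditing a fabric, the recable() result for PORT_ZONE is the case to look for: any port-zoned switch port that is unused or physically accessible carries its previous occupant's access.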


Wikipedia
